I. INTRODUCTION

The research on the oblivious transfer (OT) problem may be traced back more than twenty years. Kilian pointed out later that OT is very important in two-party and multi-party protocols. This is because in most symmetrical protocols, the participants always know each other's data. If some participants are dishonest or try to get extra information, the protocols become insecure. OT can create some secret between the participants and break this symmetry. Thus it can be used to implement multi-party protocols such as two-party secure computation. However, the security of classical cryptography usually has to be based on some strong computational assumptions, such as the hardness of factoring. If quantum computers become practical in the future, the validity of these assumptions can be broken easily. Therefore significant interest has been paid to looking for quantum methods applicable to cryptography to achieve better security. Quantum oblivious transfer (QOT) protocols were also proposed [8]. But they are secure only under the assumption that the participants cannot delay the quantum measurement. To fix the problem, Crépeau proposed a QOT protocol based on quantum bit commitment (QBC). It was further proven by Yao that such a QOT is secure if QBC is secure. Nevertheless, it was indicated later by Mayers, Lo and Chau that all the QBC protocols formerly proposed are insecure. Furthermore, it was concluded that an unconditionally secure QBC scheme cannot be achieved in principle, which is referred to as the Mayers-Lo-Chau (MLC) no-go theorem and is a serious drawback in quantum cryptography. According to the theorem, all QBC-based protocols are insecure, including quantum coin tossing and quantum oblivious mutual identification [13]. Consequently, QOT based on QBC is insecure unless the participants are restricted to individual measurements.



On the other hand, starting with QBC is not the only way to implement QOT. Therefore, it is natural to ask whether we can design a QOT protocol with stand-alone security. Although it was concluded independently that other two-party quantum secure computations including QOT are not possible either, the conclusion is essentially based on a crucial point that the quantum state used in the two-party computation protocols is the simultaneous eigenstate of different measurement operators, which follows from two basic requirements in their definition of the so-called ideal one-sided two-party secure computation: Alice helps Bob to compute a prescribed function $f(i,j)$ in such a way that, at the end of the protocol, (a) Bob learns $f(i,j)$ unambiguously, and (b) Alice learns nothing. In this paper, a novel quantum OT protocol is proposed, which is neither based on QBC nor rigorously satisfies requirement (a); but it indeed meets the rigorous security requirement of the OT definition. Therefore, our OT protocol is a kind of two-party secure computation different from that defined by Lo in Ref. [19] and thus evades Lo's no-go theorem of the one-sided two-party secure computation, allowing more quantum-cryptography applications than thought possible previously.

In the next section, a new QOT protocol is elaborated in detail. Then a general proof of its unconditional security is presented in Sec. III. Finally, the relationship between the protocol and the no-go theorems is addressed.



II. THE SCHEME 

Although there are various types of OT, as a typical illustration, we here focus only on a basic type of OT studied in Refs.fllig, which is also called all-or-nothing OT. A sender Alice wants to transfer a secret bit $b \in \{0, 1\}$ to a receiver Bob. At the end of the protocol, either Bob could learn the value of $b$ with the reliability (which means the probability for Bob's output $b$ to be equal to Alice's input) 100%, or he has zero knowledge on $b$. Each possibility should occur with the probability 1/2, and which one happens finally is out of their control. Meanwhile, Alice should learn nothing about which event takes place.

Consider an ideal case without transmission error. Similar to the conjugate coding [2], letting $|0\rangle_+$ and $|1\rangle_+$ denote the two orthogonal states of a qubit, we can define $|r\rangle_\times \equiv (|0\rangle_+ + (-1)^r |1\rangle_+)/\sqrt{2}$ $(r = 0, 1)$, the Bell states $\Phi^\pm = (|0\rangle_+ |0\rangle_+ \pm |1\rangle_+ |1\rangle_+)/\sqrt{2}$, and $\Psi^\pm = (|0\rangle_+ |1\rangle_+ \pm |1\rangle_+ |0\rangle_+)/\sqrt{2}$, where $+$ ($\times$) stands for the rectilinear (diagonal) basis. The key idea of our protocol is: Alice and Bob share many sets of 4 qubits in an entangled state $|\psi\rangle$ (see Eq. (1) below). To each set, four two-value parameters $q$, $r$, $c$, and $d$ are associated, where $\{q, r\}$ and $\{c, d\}$ correspond respectively to the state $|\psi\rangle$ and the choice/measurement of the individual participant; the form of $|\psi\rangle$ designed by us ensures that Alice cannot decode simultaneously any two of $q$, $r$ and $d$, and Bob cannot decode $c$ and $q$ (or $r$) simultaneously. Relying on appropriate verification and use of the state, a secure OT can be achieved.

For easy readability, before presenting a complete version of our protocol, we first account for the details of several key procedures.

(i) Preparation of the states: 

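Our protocol is based on the four-qubit entangled state with the following form

$$|\psi\rangle = (|0\rangle_+ |0\rangle_+ |0\rangle_+ |0\rangle_+ + |1\rangle_+ |1\rangle_+ |0\rangle_+ |1\rangle_+ + |0\rangle_\times |0\rangle_\times |1\rangle_+ |0\rangle_+ + |1\rangle_\times |1\rangle_\times |1\rangle_+ |1\rangle_+)/2. \tag{1}$$

Bob prepares many sets of such states. For each set, he keeps systems $B_1$ and $B_2$ and sends systems $A_1$ and $A_2$ to Alice.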

(ii) Alice inputting c: 

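In Alice's point of view, Bob sends her any of the four two-qubit states $|r\rangle_q |r\rangle_q$ ($q \in \{+, \times\}$, $r \in \{0, 1\}$) with equal probability. Now let us consider Alice's strategy to decode either $q$ or $r$. In the Bell basis

$$C_0 \equiv \{\Phi^+, \Phi^-, \Psi^+, \Psi^-\}, \tag{2}$$

the four possible $|r\rangle_q |r\rangle_q$ can be expressed as

$$\begin{aligned}
|0\rangle_+ |0\rangle_+ &= (\Phi^+ + \Phi^-)/\sqrt{2}, \\
|1\rangle_+ |1\rangle_+ &= (\Phi^+ - \Phi^-)/\sqrt{2}, \\
|0\rangle_\times |0\rangle_\times &= (\Phi^+ + \Psi^+)/\sqrt{2}, \\
|1\rangle_\times |1\rangle_\times &= (\Phi^+ - \Psi^+)/\sqrt{2}.
\end{aligned} \tag{3}$$

If Alice measures systems $A_1$ and $A_2$ in the $C_0$ basis, she will know that $q = +$ ($q = \times$) if the outcome is $\Phi^-$ ($\Psi^+$). While if the outcome is $\Phi^+$, she will not know the value of $q$. Since Eq. (1) can be rewritten as

$$|\psi\rangle = \Phi^- |0\rangle_+ |1\rangle_\times /2 + \Psi^+ |1\rangle_+ |1\rangle_\times /2 + \Phi^+ |0\rangle_\times |0\rangle_\times /\sqrt{2}, \tag{4}$$

it can be seen that the probability for Alice to decode $q$ successfully is 1/2.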

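On the other hand, defining the basis

$$C_1 \equiv \{|0\rangle_\times |0\rangle_+, |0\rangle_\times |1\rangle_+, |1\rangle_\times |0\rangle_+, |1\rangle_\times |1\rangle_+\}, \tag{5}$$

$|r\rangle_q |r\rangle_q$ can be expressed as

$$\begin{aligned}
|0\rangle_+ |0\rangle_+ &= (|0\rangle_\times |0\rangle_+ + |1\rangle_\times |0\rangle_+)/\sqrt{2}, \\
|1\rangle_+ |1\rangle_+ &= (|0\rangle_\times |1\rangle_+ - |1\rangle_\times |1\rangle_+)/\sqrt{2}, \\
|0\rangle_\times |0\rangle_\times &= (|0\rangle_\times |0\rangle_+ + |0\rangle_\times |1\rangle_+)/\sqrt{2}, \\
|1\rangle_\times |1\rangle_\times &= (|1\rangle_\times |0\rangle_+ - |1\rangle_\times |1\rangle_+)/\sqrt{2}.
\end{aligned} \tag{6}$$

That is, if Alice measures them in the $C_1$ basis, she will know that $r = 0$ ($r = 1$) if the outcome is $|0\rangle_\times |0\rangle_+$ ($|1\rangle_\times |1\rangle_+$), while she does not know $r$ if the outcome is $|0\rangle_\times |1\rangle_+$ or $|1\rangle_\times |0\rangle_+$. Again, rewriting Eq. (1) as

$$|\psi\rangle = |0\rangle_\times |0\rangle_+ |0\rangle_\times |0\rangle_+ /2 - |1\rangle_\times |1\rangle_+ |0\rangle_\times |1\rangle_+ /2 + |0\rangle_\times |1\rangle_+ \Psi^+ /2 + |1\rangle_\times |0\rangle_+ \Phi^+ /2, \tag{7}$$

we see that the probability for Alice to decode $r$ successfully is also 1/2. Also, since the bases $C_0$ and $C_1$ are not commutable, Alice cannot decode the values of $q$ and $r$ simultaneously (a rigorous proof will be provided in the next section).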

In our protocol, Alice should randomly pick a different bit $c \in \{0, 1\}$ for each set of $|\psi\rangle$ at this stage. If $c = 0$ ($c = 1$), she tries to decode $q$ ($r$) by measuring her share of the set in the $C_0$ ($C_1$) basis. After she measures all $|\psi\rangle$, she will decode either $q$ or $r$ successfully for about half of these sets, while she fails to decode anything for the other half. She tells Bob to discard the half which she failed to decode, while keeping the remaining sets of $|\psi\rangle$ for the following steps.

Bob can verify whether Alice has input $c$ and finished her measurement by picking randomly some $|\psi\rangle$ from the remaining half, and asking Alice to announce either $q$ or $r$, depending on what she decoded. To find out the correct value of $q$ or $r$, as can be seen from Eq. (1), Bob can simply measure systems $B_1$ and $B_2$ of the picked $|\psi\rangle$ in the basis

$$D_0 \equiv \{|0\rangle_+ |0\rangle_+, |0\rangle_+ |1\rangle_+, |1\rangle_+ |0\rangle_+, |1\rangle_+ |1\rangle_+\}. \tag{8}$$

Then he learns which $|r\rangle_q |r\rangle_q$ systems $A_1$ and $A_2$ can collapse to. If Alice has delayed her measurement or adopted any other measurement which is less efficient than the above strategies at decoding $q$ or $r$ with certainty, she cannot always announce $q$ or $r$ correctly, or she has to discard more than half of the sets. Therefore a dishonest Alice will inevitably be caught as the number of $|\psi\rangle$ picked for the verification increases.

Nevertheless, to pass the verification, Alice need not perform a complete measurement in the $C_0$ ($C_1$) basis. She can simply try to project systems $A_1$ and $A_2$ to the subspace supported by $\{\Phi^-, \Psi^+\}$ ($\{|0\rangle_\times |0\rangle_+, |1\rangle_\times |1\rangle_+\}$). If the projection fails, she tells Bob to discard the corresponding $|\psi\rangle$. While if the projection is successful, she keeps systems $A_1$ and $A_2$ entangled with $B_1$ and $B_2$ without collapsing them into a pure state $\Phi^-$ or $\Psi^+$ ($|0\rangle_\times |0\rangle_+$ or $|1\rangle_\times |1\rangle_+$). She finishes the complete measurement to make them collapse only when the corresponding $|\psi\rangle$ is picked for the verification. Therefore in general, the state of the remaining undiscarded and unverified sets of $|\psi\rangle$ is either

$$|\psi^{(0)}\rangle = \Phi^- |0\rangle_+ |1\rangle_\times /\sqrt{2} + \Psi^+ |1\rangle_+ |1\rangle_\times /\sqrt{2} \tag{9}$$

if $c = 0$, or

$$|\psi^{(1)}\rangle = |0\rangle_\times |0\rangle_+ |0\rangle_\times |0\rangle_+ /\sqrt{2} - |1\rangle_\times |1\rangle_+ |0\rangle_\times |1\rangle_+ /\sqrt{2} \tag{10}$$

if $c = 1$. After the verification, Alice and Bob keep these $|\psi\rangle$ and proceed.

(iii) Bob inputting d: 

Since the states of systems $B_1$ and $B_2$ are different in Eqs. (9) and (10), Bob can learn Alice's choice of $c$ or her outcome $s$ with a certain probability. Here Alice's outcome $s$ is defined as

$$s \equiv \begin{cases} Q, & (c = 0), \\ r, & (c = 1), \end{cases} \tag{11}$$

where $Q = 0, 1$ for $q = +, \times$. From Eq. (1) we can see that if Bob measures systems $B_1$ and $B_2$ in the $D_0$ basis defined in Eq. (8) and the outcome is $|0\rangle_+ |0\rangle_+$ (or $|1\rangle_+ |1\rangle_+$), he will know that systems $A_1$ and $A_2$ can only collapse to the state $|0\rangle_+ |0\rangle_+$ (or $|1\rangle_\times |1\rangle_\times$). These two states have the common feature $Q = r$. Thus Bob knows that $s = 0$ ($s = 1$) even though he does not know $c$.

Note that at this stage, $|\psi\rangle$ has already collapsed to $|\psi^{(0)}\rangle$ or $|\psi^{(1)}\rangle$ by Alice's measurement. With the $D_0$ basis, they can be expressed as

$$|\psi^{(0)}\rangle = [\Phi^- (|0\rangle_+ |0\rangle_+ - |0\rangle_+ |1\rangle_+) + \Psi^+ (|1\rangle_+ |0\rangle_+ - |1\rangle_+ |1\rangle_+)]/2, \tag{12}$$

and

$$|\psi^{(1)}\rangle = [|0\rangle_\times |0\rangle_+ (|0\rangle_+ |0\rangle_+ + |1\rangle_+ |0\rangle_+) - |1\rangle_\times |1\rangle_+ (|0\rangle_+ |1\rangle_+ + |1\rangle_+ |1\rangle_+)]/2. \tag{13}$$

Thus the probability for Bob to decode $s$ successfully is 1/2.

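On the other hand, defining the basis

$$D_1 \equiv \{|0\rangle_\times |0\rangle_\times, |0\rangle_\times |1\rangle_\times, |1\rangle_\times |0\rangle_\times, |1\rangle_\times |1\rangle_\times\}, \tag{14}$$

$|\psi^{(0)}\rangle$ or $|\psi^{(1)}\rangle$ can be expressed as

$$|\psi^{(0)}\rangle = (\Phi^- - \Psi^+) |1\rangle_\times |1\rangle_\times /2 + (\Phi^- + \Psi^+) |0\rangle_\times |1\rangle_\times /2, \tag{15}$$

and

$$|\psi^{(1)}\rangle = (|0\rangle_\times |0\rangle_+ - |1\rangle_\times |1\rangle_+) |0\rangle_\times |0\rangle_\times /2 + (|0\rangle_\times |0\rangle_+ + |1\rangle_\times |1\rangle_+) |0\rangle_\times |1\rangle_\times /2. \tag{16}$$

If Bob measures systems $B_1$ and $B_2$ in the $D_1$ basis, he will know that $c = 0$ ($c = 1$) if the outcome is $|1\rangle_\times |1\rangle_\times$ ($|0\rangle_\times |0\rangle_\times$), while he does not know $c$ if the outcome is $|0\rangle_\times |1\rangle_\times$. The probability for him to decode $c$ successfully is also 1/2. Again, Bob cannot decode the values of $s$ and $c$ simultaneously since the bases $D_0$ and $D_1$ are not commutable.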

In the protocol, Bob randomly picks a different bit $d \in \{0, 1\}$ for each remaining set of $|\psi\rangle$, where $d = 0$ should occur with the probability $p = 2/3$ (we will see later why this value is chosen). If $d = 0$ ($d = 1$), he tries to decode $s$ ($c$) by measuring his share of the set in the $D_0$ ($D_1$) basis. After he measures all sets of $|\psi\rangle$, he will decode either $s$ or $c$ successfully for about half of those sets, while he fails to decode anything for the other half. He tells Alice to discard the half which he failed to decode, while keeping the rest for the following steps.

Similar to (ii), Alice can verify whether Bob has input $d$ and finished his measurement honestly by picking randomly some $|\psi\rangle$ from the remaining half, and asking Bob to announce either $s$ or $c$, depending on what he decoded. She should also check whether Bob has indeed input $d = 0$ with the required probability $p = 2/3$, and whether the number of discarded $|\psi\rangle$ is about a half.

Also, Bob need not perform a complete measurement in the $D_0$ ($D_1$) basis to pass the verification. If he has chosen $d = 0$ ($d = 1$), he simply tries to project systems $B_1$ and $B_2$ to the subspace supported by $\{|0\rangle_+ |0\rangle_+, |1\rangle_+ |1\rangle_+\}$ ($\{|0\rangle_\times |0\rangle_\times, |1\rangle_\times |1\rangle_\times\}$), and discards $|\psi\rangle$ if the projection fails. He finishes the complete measurement to make the undiscarded $|\psi\rangle$ collapse only when it is picked for the verification. Therefore after the verification, the state of the remaining unverified $|\psi\rangle$ is

$$|\psi^{(00)}\rangle = (\Phi^- |0\rangle_+ |0\rangle_+ - \Psi^+ |1\rangle_+ |1\rangle_+)/\sqrt{2} \tag{17}$$

if $c = 0$ and $d = 0$, or

$$|\psi^{(10)}\rangle = (|0\rangle_\times |0\rangle_+ |0\rangle_+ |0\rangle_+ - |1\rangle_\times |1\rangle_+ |1\rangle_+ |1\rangle_+)/\sqrt{2} \tag{18}$$

if $c = 1$ and $d = 0$, or

$$|\psi^{(01)}\rangle = (\Phi^- - \Psi^+) |1\rangle_\times |1\rangle_\times /\sqrt{2}, \tag{19}$$

if $c = 0$ and $d = 1$, or

$$|\psi^{(11)}\rangle = (|0\rangle_\times |0\rangle_+ - |1\rangle_\times |1\rangle_+) |0\rangle_\times |0\rangle_\times /\sqrt{2}, \tag{20}$$

if $c = 1$ and $d = 1$.

Before using these states for the OT, Bob must prevent Alice from knowing his choice of $d$ for each of them. It can be accomplished with the following method. $|\psi^{(00)}\rangle$ and $|\psi^{(10)}\rangle$ can be rewritten as

$$|\psi^{(00)}\rangle = (\Phi^- + \Psi^+) \Phi^- /2 + (\Phi^- - \Psi^+) \Phi^+ /2, \tag{21}$$

and

$$|\psi^{(10)}\rangle = (|0\rangle_\times |0\rangle_+ + |1\rangle_\times |1\rangle_+) \Phi^- /2 + (|0\rangle_\times |0\rangle_+ - |1\rangle_\times |1\rangle_+) \Phi^+ /2. \tag{22}$$

If Bob has chosen $d = 0$, he tries to project systems $B_1$ and $B_2$ to the state $\Phi^+$ and tells Alice to discard the corresponding $|\psi\rangle$ if the projection fails. Then the remaining $|\psi^{(00)}\rangle$ and $|\psi^{(10)}\rangle$ collapse to

$$|\psi^{(00a)}\rangle = (\Phi^- - \Psi^+) \Phi^+ /\sqrt{2}, \tag{23}$$

and

$$|\psi^{(10a)}\rangle = (|0\rangle_\times |0\rangle_+ - |1\rangle_\times |1\rangle_+) \Phi^+ /\sqrt{2}. \tag{24}$$

We can see that the states of systems $A_1$ and $A_2$ of $|\psi^{(00a)}\rangle$ and $|\psi^{(10a)}\rangle$ (which correspond to $d = 0$) are exactly the same as those of $|\psi^{(01)}\rangle$ and $|\psi^{(11)}\rangle$ (corresponding to $d = 1$) respectively. Therefore Alice can by no means tell them apart, so she cannot learn $d$ from the remaining $|\psi\rangle$.

Now let us explain why Bob should choose $d = 0$ with the probability $p = 2/3$. Eqs. (21) and (22) show that half of the $|\psi\rangle$ corresponding to $d = 0$ will be further discarded when collapsing $|\psi^{(00)}\rangle$ and $|\psi^{(10)}\rangle$ to $|\psi^{(00a)}\rangle$ and $|\psi^{(10a)}\rangle$. Meanwhile, no $|\psi\rangle$ corresponding to $d = 1$ will be discarded after Alice has verified Bob's action. Therefore among all the remaining $|\psi\rangle$, $d = 0$ and $d = 1$ will occur with the equal probability 1/2, which will be useful below.
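The bookkeeping of procedures (ii) and (iii) can be checked numerically. The Python sketch below is an added example, not code from the paper: it builds the state of Eq. (1) as a 16-component amplitude vector, applies the projections described above for each choice of c and d, and reports the success probabilities, the difference between Alice's reduced density matrices for d = 0 and d = 1, and the share of d = 1 among the surviving sets. The function names and the vector layout (Alice's pair index times 4 plus Bob's pair index) are assumptions of this example.

```python
"""Numerical check of the projections applied to the four-qubit state of Eq. (1).
Added example; names and data layout are this example's own choices."""
from math import sqrt

S = 1 / sqrt(2)
PLUS = {0: [1.0, 0.0], 1: [0.0, 1.0]}              # |0>_+, |1>_+
CROSS = {r: [S, S * (-1) ** r] for r in (0, 1)}    # |r>_x = (|0>_+ + (-1)^r |1>_+)/sqrt(2)

def kron(*vs):
    """Tensor product of amplitude vectors, leftmost factor most significant."""
    out = [1.0]
    for v in vs:
        out = [a * b for a in out for b in v]
    return out

def add(*vs):
    return [sum(c) for c in zip(*vs)]

def scale(v, k):
    return [k * a for a in v]

PHI_P = scale(add(kron(PLUS[0], PLUS[0]), kron(PLUS[1], PLUS[1])), S)
PHI_M = scale(add(kron(PLUS[0], PLUS[0]), scale(kron(PLUS[1], PLUS[1]), -1)), S)
PSI_P = scale(add(kron(PLUS[0], PLUS[1]), kron(PLUS[1], PLUS[0])), S)

def psi():
    """Eq. (1): sum over q, r of |r>_q |r>_q (A1, A2) |Q>_+ |r>_+ (B1, B2), divided by 2."""
    terms = [kron(basis[r], basis[r], PLUS[Q], PLUS[r])
             for Q, basis in ((0, PLUS), (1, CROSS)) for r in (0, 1)]
    return scale(add(*terms), 0.5)

def project(state, vecs, side):
    """Project Alice's ('A') or Bob's ('B') qubit pair onto span(vecs); not renormalised."""
    out = [0.0] * 16
    for other in range(4):
        idx = [4 * k + other if side == "A" else 4 * other + k for k in range(4)]
        x = [state[i] for i in idx]
        for v in vecs:
            amp = sum(vi * xi for vi, xi in zip(v, x))
            for i, vi in zip(idx, v):
                out[i] += amp * vi
    return out

def norm2(state):
    return sum(a * a for a in state)

def rho_alice(state):
    """Reduced 4x4 density matrix of systems A1, A2 (state is normalised first)."""
    n = norm2(state)
    return [[sum(state[4 * a + b] * state[4 * a2 + b] for b in range(4)) / n
             for a2 in range(4)] for a in range(4)]

# Subspaces Alice projects onto for c = 0, 1 and Bob for d = 0, 1, as described in the text.
ALICE_SUB = {0: [PHI_M, PSI_P],
             1: [kron(CROSS[0], PLUS[0]), kron(CROSS[1], PLUS[1])]}
BOB_SUB = {0: [kron(PLUS[0], PLUS[0]), kron(PLUS[1], PLUS[1])],
           1: [kron(CROSS[0], CROSS[0]), kron(CROSS[1], CROSS[1])]}

def run(c, d):
    """Return (P[Alice keeps set], P[Bob keeps set], P[survives Phi^+ step], final state)."""
    s1 = project(psi(), ALICE_SUB[c], "A")
    p_alice = norm2(s1)
    s2 = project(s1, BOB_SUB[d], "B")
    p_bob = norm2(s2) / p_alice
    if d == 0:                       # extra projection onto Phi^+ that hides d from Alice
        s3 = project(s2, [PHI_P], "B")
        return p_alice, p_bob, norm2(s3) / norm2(s2), s3
    return p_alice, p_bob, 1.0, s2

def alice_view_gap(c):
    """Largest entry-wise difference between Alice's final state for d = 0 and d = 1."""
    r0, r1 = rho_alice(run(c, 0)[3]), rho_alice(run(c, 1)[3])
    return max(abs(r0[i][j] - r1[i][j]) for i in range(4) for j in range(4))

def surviving_share_d1(c, p=2 / 3):
    """Fraction of surviving sets with d = 1 when Bob picks d = 0 with probability p."""
    w0 = p * run(c, 0)[1] * run(c, 0)[2]
    w1 = (1 - p) * run(c, 1)[1] * run(c, 1)[2]
    return w1 / (w0 + w1)

if __name__ == "__main__":
    for c in (0, 1):
        for d in (0, 1):
            print("c=%d d=%d probabilities:" % (c, d), run(c, d)[:3])
        print("c=%d gap=%.1e share(d=1)=%.3f" % (c, alice_view_gap(c), surviving_share_d1(c)))
```

Calling `surviving_share_d1` with a value of p other than 2/3 shows how the balance between d = 0 and d = 1 among the surviving sets is lost.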

(iv) Completing the OT: 

At this stage, for any remaining $|\psi\rangle$, Alice knows her own choice $c$ but not Bob's choice $d$, while Bob has chosen $d = 0$ (i.e. he does not know $c$) and $d = 1$ (he knows $c$) with the equal probability 1/2. Thus Alice can randomly pick any one of the remaining $|\psi\rangle$, and use $c$ to encode the bit $b$ she wants to transfer. If by chance Bob knows $c$ for this chosen $|\psi\rangle$, he can decode $b$ successfully. Else he knows nothing about $b$. Because the two results will occur with the equal probability 1/2, the goal of OT is accomplished.

The above procedure is summarized as the protocol below, with the corresponding schematic flow chart being illustrated in Fig. 1.

Protocol OT 

(1) Preparation of the states: Bob prepares $n$ sets of $|\psi\rangle$ as described in Eq. (1). He keeps systems $B_1$ and $B_2$ of each $|\psi\rangle$ and sends systems $A_1$ and $A_2$ to Alice;

(2) Alice inputting c:

(2-1) For each $|\psi\rangle$, Alice views the state of systems $A_1$ and $A_2$ as $|r\rangle_q |r\rangle_q$, and she randomly picks $c \in \{0, 1\}$. If $c = 0$, she tries to decode $q$ by projecting the two qubits into $\Phi^-$ and $\Psi^+$, and she sets $q = +$ ($q = \times$) if the outcome is $\Phi^-$ ($\Psi^+$). Else if $c = 1$, Alice tries to decode $r$ by projecting the two qubits into $|0\rangle_\times |0\rangle_+$ and $|1\rangle_\times |1\rangle_+$, and she sets $r = 0$ ($r = 1$) if the outcome is $|0\rangle_\times |0\rangle_+$ ($|1\rangle_\times |1\rangle_+$);

(2-2) If the projection in (2-1) fails, Alice tells Bob to discard the corresponding $|\psi\rangle$;

(3) Verification 1:

(3-1) If the number of the remaining $|\psi\rangle$ is $n' \approx n/2$ they continue [21], else they abort the procedure;

(3-2) Bob randomly picks some of the remaining $|\psi\rangle$ and asks Alice to announce either their $q$ or $r$ depending on the value of $c$. To check Alice's announcement, Bob measures $\psi_{B_1}\psi_{B_2}$ in the $D_0$ basis, and uses the result to calculate $q$, $r$ that correspond to $\psi_{A_1}\psi_{A_2}$;

(3-3) Alice randomly picks some other remaining $|\psi\rangle$ and asks Bob to announce both $q$ and $r$. Bob performs the same measurement as in (3-2) to obtain $q$, $r$ to announce;

(3-4) If {no conflicting results were found by both participants} AND {the probabilities for $|r\rangle_q |r\rangle_q = |0\rangle_+ |0\rangle_+$, $|r\rangle_q |r\rangle_q = |1\rangle_+ |1\rangle_+$, $|r\rangle_q |r\rangle_q = |0\rangle_\times |0\rangle_\times$, and $|r\rangle_q |r\rangle_q = |1\rangle_\times |1\rangle_\times$ to occur are approximately the same}, they keep the remaining undiscarded and unverified $|\psi\rangle$ and continue;

(4) Bob inputting d:

(4-1) For each of the remaining $m$ sets of $|\psi\rangle$, Bob picks $d = 0$ with the probability $p = 2/3$ and $d = 1$ with the probability $(1 - p) = 1/3$. If $d = 0$, he tries to decode $s$ (defined as Eq. (11)) by projecting $\psi_{B_1}\psi_{B_2}$ into the subspace supported by $\{|0\rangle_+ |0\rangle_+, |1\rangle_+ |1\rangle_+\}$. Else if $d = 1$, Bob tries to decode $c$ by projecting $\psi_{B_1}\psi_{B_2}$ into $|1\rangle_\times |1\rangle_\times$ and $|0\rangle_\times |0\rangle_\times$. If the outcome is $|1\rangle_\times |1\rangle_\times$ ($|0\rangle_\times |0\rangle_\times$), he knows that Alice has chosen $c = 0$ ($c = 1$);

(4-2) If the projection in (4-1) fails, Bob tells Alice to discard the corresponding $|\psi\rangle$;

(5) Verification 2:

(5-1) If the number of the remaining $|\psi\rangle$ is about $m/2$ they continue; else they abort the procedure;

(5-2) Alice randomly picks some of the remaining $|\psi\rangle$ and asks Bob to announce either $c$ or $s$ depending on the value of $d$. Note that if $d = 0$, Bob needs to complete the measurement on $\psi_{B_1}\psi_{B_2}$ in the basis $\{|0\rangle_+ |0\rangle_+, |1\rangle_+ |1\rangle_+\}$ and he announces $s = 0$ ($s = 1$) if the outcome is $|0\rangle_+ |0\rangle_+$ ($|1\rangle_+ |1\rangle_+$);

(5-3) If {no conflicting results were found} AND {$d = 0$ occurs with the probability 2/3}, they keep the remaining undiscarded and unverified $|\psi\rangle$ and continue;

(6) Bob preventing Alice from knowing d: For each remaining $|\psi\rangle$ for which Bob has chosen $d = 0$, he tries to project $\psi_{B_1}\psi_{B_2}$ into the state $\Phi^+$ and tells Alice to discard the corresponding $|\psi\rangle$ if the projection fails;

(7) OT part:

(7-1) Alice randomly picks one of the remaining $|\psi\rangle$ and tells Bob $b' = b \oplus c$;

(7-2) If Bob has chosen $d = 1$ for this $|\psi\rangle$ he calculates $b = b' \oplus c$. Else he knows that he fails to get $b$.



III. PROOF OF SECURITY 

We now prove generally that the protocol is secure against any cheating strategy in three steps: (I) the form of $|\psi\rangle$ limits the knowledge of Alice and Bob; (II) the verifications limit both participants' behaviors to honest ones; and (III) if Bob does not prepare $|\psi\rangle$ honestly, his knowledge on the data will be even worse.



FIG. 1: A schematic flow chart of Protocol OT. The boxes on the left (right) represent the local operations on Alice's (Bob's) side, while the middle ones are those requiring collaboration of them. The width of the lines denotes qualitatively the number of the states.



(I) For the state $|\psi\rangle$ given in Eq. (1), Alice cannot learn $q$, $r$ and $d$ simultaneously with the reliability 100%, and Bob cannot learn $s$ and $c$ simultaneously with the reliability 100%.

Proof: Let $\rho_0$ ($\rho_1$) denote the reduced density matrix of the quantum state on Alice's side corresponding to $q = q_0$ and $r = r_0$ ($q \neq q_0$ and $r \neq r_0$). To make sure that $q = q_0$ and $r = r_0$ simultaneously, Alice needs to distinguish $\rho_0$ from $\rho_1$. It can be proven that the optimal strategy for her to identify $\rho_0$ with the reliability 100% is to measure the states in the basis in which $\rho_1$ is diagonalized. Supposing that $\rho_0$ and $\rho_1$ are expressed in this basis with $\rho(k, l)$ denoting the element of the matrix $\rho$, the maximum probability for identifying $\rho_0$ is

$k \in \{k \mid \rho_1(k,k) = 0\}$ (25)

When $|\psi\rangle$ takes the form as specified in Eq. (1), it is shown that $\{k \mid \rho_1(k,k) = 0\} = \emptyset$ (the empty set) regardless of the values of $q$ and $r$. Therefore $p_{0\max} = 0$, which means that Alice can never learn the exact values of $q$ and $r$ simultaneously with the reliability 100%. Similarly, it can also be proven that Bob cannot learn $s$ and $c$ simultaneously with the reliability 100%.

As for $d$, by comparing Eqs. (19) with (23) and Eqs. (20) with (24) respectively, we can see that after the step (6), the final states of systems $A_1$ and $A_2$ are exactly the same regardless of Bob's choice of $d$. Therefore Alice cannot learn $d$ as long as the protocol can indeed force the participants to perform the honest measurement. This leads us to the next point of the proof.

(II) For the state $|\psi\rangle$, the steps (3-1) and (3-2) can force Alice to measure the states honestly in the step (2), and the step (5) can force Bob to measure the states honestly in the step (4).

Proof: Consider Alice's cheating first. Suppose that in the step (3-2), there are totally $\delta n'$ sets of $|\psi\rangle$ which have not been measured by Alice honestly. Instead, she applies a minimal-error measurement or even delays the measurement. Then she does not know their $q$ or $r$ with the reliability 100%, but only with a reliability not larger than $\varepsilon$. As Bob picks randomly many $|\psi\rangle$ to check if Alice knows $q$ or $r$, the probability for Alice to pass the test is Meanwhile, since only one $|\psi\rangle$ is randomly picked for the OT at the final stage, the probability for these $\delta$ sets of $|\psi\rangle$ to be picked is not greater than ^min(5„',™) Cl„,Cliri/C:^. The order of magnitude of this probability is $O(\delta)$ as long as $n \gg m$. Therefore the total probability for Alice to cheat successfully is bounded by $O(\delta)\,\varepsilon^{O(\delta n)}$, which can be made arbitrarily small as $n \to \infty$.

Thus Alice cannot use the minimal-error measurement, but has to use the measurements which always decode $q$ or $r$ with the reliability 100%. Here it is shown that the honest measurement is the optimal one among all these measurements. Using the method described in (I), let $\rho_0$ and $\rho_1$ be the density matrices for $q = +$ and $\times$ respectively (being independent of $r$). In the Bell basis, both $\rho_0$ and $\rho_1$ are diagonalized. The maximum probabilities for Alice to identify them are the same: $p_{0\max} = p_{1\max} = 1/2$, which can be reached simultaneously in the same measurement. Thus the maximum probability for Alice to decode $q$ with the reliability 100% is $p = (p_{0\max} + p_{1\max})/2 = 1/2$. And the operation in the step (2) is just the strategy that can reach this maximum. The calculation of the maximum probability for Alice to decode $r$ successfully is a little bit more complicated. In this case, $\rho_0$ (for $r = 0$) and $\rho_1$ (for $r = 1$) cannot be diagonalized simultaneously, and the maximum probability $p < (p_{0\max} + p_{1\max})/2$. But we can see that when Alice chooses to decode $r$ in the step (2), if the corresponding projection succeeds, she immediately gets 1 bit of information; while if the projection fails, $\rho_0$ and $\rho_1$ collapse to the same density matrix, i.e., the upper bound of the average information that can be gained from the resultant final states is zero. This fact implies that Alice had already drawn as much information as possible from the states she received. Therefore when $r = 0$ and $r = 1$ occur with the same probability, the strategy in that step is exactly the optimal one for her to get $r$ with the reliability 100%. The maximum probability of this procedure is also $p = 1/2$. Namely, Alice cannot decode $q$ or $r$ unambiguously with a probability higher than that of the honest measurement.

As a result, if Alice makes her measurement without using the correct method in the step (2) or even delays her measurement until Bob announces which sets of $|\psi\rangle$ are picked for the verification in the step (3-2), either she cannot reach the maximum efficiency such that she has to discard more data than what is allowed in the step (3-1), or there will inevitably be some undiscarded $q$ or $r$ whose reliability is only $\varepsilon < 100\%$. She cannot pass the test with a nontrivial probability, because in the step (3-2) it is no longer allowed to discard the data that she fails to decode. For this reason, Alice has to follow the protocol honestly.

Repeating the above procedure, we can obtain a similar result for the case in which Bob applies the minimal-error measurement or other dishonest measurements. Bob has to choose $d = 0$ and $d = 1$ with the specified ratio and use the method in the step (4) to measure all $\psi_{B_1}\psi_{B_2}$. Else he will only have a probability $O(\delta)\,\varepsilon^{O(\delta m)}$ to cheat without being caught.

From the above (I) and (II), we can see that the goal of OT can be achieved, as long as the initial state $|\psi\rangle$ takes the specific form given in Eq. (1). This allows us to proceed to the last but not the least part of the proof.

(III) Steps (3-3) and (5) are able to force Bob to prepare the states honestly.

Proof: The step (5) requires Bob to show that he has indeed input $d$ for all the remaining $|\psi\rangle$ (i.e., he already got $c$ or $s$ with the reliability 100%), while only about $m/2$ sets are allowed to be discarded. Therefore for the same reason as in (II), in the step (4) the probability for Bob to get $c$ with the reliability 100% should reach 1/2. We shall prove that, if Bob does not prepare the initial states honestly, this probability will drop, or he will not pass the test in the step (3-3).

Let us first study what constraint will be put on the initial states by the step (3-3). There may exist many cheating strategies for Bob. But they can all be described by the following model. Bob sends Alice a quantum system $\alpha$ which is entangled with another system $\beta$. He performs any POVMs [22] on $\beta$ to get as much information as he can. A general form of the entangled system $\alpha \otimes \beta$ is

$$|\psi\rangle = \sum_k f_k |\alpha_k\rangle |\beta_k\rangle. \tag{26}$$

Alice can check the partial density matrix $\rho_\alpha = \sum_k \langle \beta_k | \psi \rangle \langle \psi | \beta_k \rangle$ of system $\alpha$ with her measurement in the step (3-3). Therefore to make Alice believe that he is honest, Bob has to prepare $\alpha \otimes \beta$ in such a way that $\rho_\alpha$ is much the same as that of $\psi_{A_1}\psi_{A_2}$ in the honest protocol. Thus for each single set of $|\psi\rangle$, the state of such a system can be expanded as

$$|\psi\rangle = \sum_{r \in \{0,1\},\, q \in \{+,\times\}} f_{r,q} |r\rangle_q |r\rangle_q |B_{r,q}\rangle. \tag{27}$$

Bob sends Alice the first two qubits, and keeps the last part on his side as $\beta$. Generally $\beta$ can include any systems at Bob's side and the environment, and even the systems $A_1$ and $A_2$ from other sets of $|\psi\rangle$ at Alice's side. But Bob does not know beforehand which $|\psi\rangle$ will be picked for the test in the step (3-3). So he needs to prepare $\beta$ with the following property: once the corresponding $|\psi\rangle$ is picked, he can always measure $\beta$ and get $q$, $r$ unmistakably. Thus $\beta$ has to contain the systems on Bob's side only, and all the states $|B_{r,q}\rangle$ with different $q$, $r$ need to be orthogonal to each other.

We now evaluate the amount of information on $c$ that Bob can obtain with such a state. Suppose that $|\psi\rangle$ eventually survives through the step (3). This state can be expressed as

$$|\psi\rangle = \Big(\sum_{r,q} f_{r,q} \Phi^+ |B_{r,q}\rangle + \sum_r (-1)^r f_{r,+} \Phi^- |B_{r,+}\rangle + \sum_r (-1)^r f_{r,\times} \Psi^+ |B_{r,\times}\rangle\Big)/\sqrt{2}. \tag{28}$$

Since Alice already included this $|\psi\rangle$ in what she decoded with the reliability 100%, if what she decoded is $q$, i.e., she has chosen $c = 0$, she must have found $\Phi^-$ or $\Psi^+$ in her measurement. From this equation, we can see that the system $\beta$ must have collapsed into

$$|B'_0\rangle \equiv \sum_r (-1)^r f_{r,+} |B_{r,+}\rangle \Big/ \sqrt{\sum_r f_{r,+}^2} \tag{29}$$

or

$$|B'_1\rangle \equiv \sum_r (-1)^r f_{r,\times} |B_{r,\times}\rangle \Big/ \sqrt{\sum_r f_{r,\times}^2}. \tag{30}$$



Similarly, if $c = 1$, $\beta$ must have collapsed into

|5i')^E/Mi5i..)/jE/M (31)

(32)

Therefore if Bob can distinguish from {|-Bfc)}i knows Alice's choice of $c$. Define

(33)

and

(34)

The upper bound (Holevo bound) of the average information Bob can get is

$$I_{av} = S[(\rho_0 + \rho_1)/2] - [S(\rho_0) + S(\rho_1)]/2, \tag{35}$$

where the von Neumann entropy is $S(\rho) = -\mathrm{Tr}(\rho \log_2 \rho)$ [23]. From the symmetry of the equation, it can be seen that $I_{av}$ will go to its extremum when Bob chooses $f_{r,q} = 1/2$ for all $r$, $q$. It is found that this extremum is the maximum. That is, if Bob prepares the initial state as

$$|\psi\rangle = \sum_{r \in \{0,1\},\, q \in \{+,\times\}} |r\rangle_q |r\rangle_q |B_{r,q}\rangle /2, \tag{36}$$

the probability for him to get $c$ with the reliability 100% will be maximized. In the previous paragraph, it is shown that all $|B_{r,q}\rangle$ need to be orthogonal. For illustration, it is natural to choose

$$|B_{r,q}\rangle = |Q\rangle_+ |r\rangle_+, \tag{37}$$

where $Q = 0, 1$ for $q = +, \times$. Then

$$|B'_k\rangle = |k\rangle_+ |1\rangle_\times, \qquad |0\rangle_\times |k\rangle_+ \qquad (k = 0, 1). \tag{38}$$

We can see that $\rho_0$ and $\rho_1$ are diagonalized simultaneously in the basis that Bob uses in the projection in the step (4). Therefore this projection is just the optimal strategy for Bob to decode $c$, and the maximum probability for the decoding to be successful is 1/2. If Bob does not prepare the initial state in this way, this maximum probability cannot be reached as $I_{av}$ is not optimized. Similar to the proof in (II), the probability for him to pass the step (5) can be made arbitrarily small as $m \to \infty$.

Combining points (I)-(III), we can conclude that the probability for Alice to know whether Bob gets $b$ or not (or the probability for Bob to get $b$ in more than 50% of the cases) is expressed as $O(\delta)\,\varepsilon^{O(\delta n)}$ (or $O(\delta)\,\varepsilon^{O(\delta m)}$), which is arbitrarily small by increasing $n$, $m$. Also, unlike the cheat sensitive protocols [24], the detection of cheating in our protocol will not cause the secret bit of OT to be revealed. As a result, the present Protocol OT is unconditionally secure. As our proof is based on the density matrices of the quantum states, rather than on a specific cheating strategy, our conclusion is general no matter what computational power the participants may have and what POVMs they may apply.



IV. RELATIONSHIP WITH THE NO-GO THEOREMS

A. Lo's no-go theorem of quantum secure computations

Though the above general proof of security against all possible cheating strategies seems complicated, the reason why this protocol can evade the cheating in Lo's no-go theorem is clear. As mentioned in the introduction, the protocol does not satisfy the requirement (a) (Bob learns a prescribed function $f(i,j)$ unambiguously) in Ref. [19], on which the no-go proof is based. This is because Bob cannot learn the value of $b$ unambiguously in our protocol. Instead, he only learns $b$ with the probability 50%. In the other 50% of cases, he has zero knowledge on $b$. In addition, rigorously speaking, the outcome of our protocol cannot be viewed as a prescribed function $f(i,j)$. The outcome depends not only on Alice's and Bob's inputs $i$ and $j$, but also on the quantum uncertainty in the measurement. For example, in the step (4) of our protocol, Bob's inputting $d = 1$ does not mean that he can certainly obtain the value of $c$. Due to the quantum uncertainty in his measurement, he can only obtain $c$ successfully with the probability 50%. As a result, the quantum state in our protocol is not the simultaneous eigenstate of different measurement operators that the participant uses for determining the parameters wanted by him (e.g., $s$ and $c$). He knows whether he gets a parameter successfully only if the measurement is performed. Then the state is disturbed, so that it cannot be used to get more parameters. Thus the protocol is secure against the cheating strategy in Ref. [19]. On the other hand, the definition of all-or-nothing OT only requires that at the end of the protocol, the two outcomes "Bob learns the value of $b$" and "Bob has zero knowledge on $b$" should occur with the equal probability 50%; while it never requires that which outcome finally happens must be controlled only by the participants' inputs. Clearly, our protocol satisfies the rigorous definition of secure all-or-nothing OT.



B. The MLC no-go theorem of secure QBC 

Our result does not conflict with the MLC no-go theorem of secure
QBC, because this no-go theorem does not apply directly to QOT
(otherwise the Lo's no-go theorem of quantum secure computation would
be redundant). Let P1 denote an all-or-nothing QOT protocol. Surely it
does not implement QBC automatically. Instead, another protocol P2 is
needed, which makes use of the output of P1 to accomplish QBC. The MLC
no-go theorem reveals that the entire protocol P1+P2 cannot be secure.
Then there are two possibilities: P1 is insecure, or P2 is insecure
(if not both). But as we already proved rigorously in Sec. III, our
all-or-nothing QOT protocol is unconditionally secure against any
cheating strategy. Therefore the existence of the MLC no-go theorem
implies that secure P2 is impossible.

Indeed, though BC and OT are thought to be classically equivalent,
"reductions and relations between classical cryptographic tasks need
not necessarily apply to their quantum equivalents" [25]. So far there
are two known methods to construct P2 in classical cryptography, which
all fail at the quantum level. One of the methods is to repeat
all-or-nothing OT many times [3]. More rigorously, according to Ref.
BC is realized by encoding the committed bit as
$b = b_1 \oplus b_2 \oplus \cdots \oplus b_k$, and sending each $b_i$
from Alice to Bob through an all-or-nothing OT process. However, the
resultant protocol is insecure because altering any one of the $b_i$
can flip the value of the committed bit completely. Alice can simply
execute the protocol honestly. If she wants to change the committed
bit at the final stage, she simply announces one of the $b_i$
dishonestly. Since Bob knows $b_i$ at half of the cases only, Alice
can cheat successfully with the probability 1/2. Thus the scheme is
broken. Another known method to realize BC from OT in classical
cryptography is to build a 1-out-of-2 OT|2^ from all-or-nothing OT,
and use the 1-out-of-2 OT to implement BC. But once again, it has to
rely on the classical equivalence between 1-out-of-2 OT and
all-or-nothing OT[2g|, which needs re-examination at the quantum
level. As pointed out in Ref. classical reduction would be applicable
in quantum cryptography if a quantum protocol can be used as a "black
box" primitive in building up more sophisticated protocols. However,
we found recently [28] that the 1-out-of-2 OT protocol built upon the
present quantum all-or-nothing OT protocol with the scenario developed
in Ref.|2^ is not rigorously a "black box" type quantum 1-out-of-2 OT
specified in Ref. [19]. Especially, the inputs of the two participants
are not independent of each other. Such a quantum 1-out-of-2 OT cannot
be used to implement secure QBC with the method described in
Ref. [29]. The reason lies in that the step (2) of the protocol
described in Ref. [22] is inexecutable as Alice's input cannot be
completed before Bob's input is entered. Thus the method also fails.
Of course there may exist other methods to construct P2, but due to
the presence of the MLC no-go theorem, they are all bound to be
insecure. In this sense, the classical reduction chain from OT to BC
is broken in the present quantum case, and thus there exists no logic
conflict between the present secure all-or-nothing QOT and the MLC
no-go theorem of QBC.
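
The first construction discussed above (committing b as the XOR of shares sent through all-or-nothing OT) can be checked by exhaustive enumeration. The following Python example is added here and is not part of the original paper; it assumes each OT is an ideal channel that delivers a share with probability 1/2 without Alice learning the outcome, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

def xor_all(bits):
    """XOR of a sequence of bits: the committed bit b = b_1 ^ ... ^ b_k."""
    acc = 0
    for bit in bits:
        acc ^= bit
    return acc

def bob_accepts(sent, received_mask, announced):
    """Bob's opening check: every share he actually received through the
    all-or-nothing OT must equal what Alice announces at the opening."""
    return all(s == a for s, got, a in zip(sent, received_mask, announced) if got)

def opened_bit(shares, flip_positions):
    """Bit Bob computes from Alice's (possibly dishonest) announcement."""
    return xor_all(s ^ (i in flip_positions) for i, s in enumerate(shares))

def cheat_success_probability(shares, flip_positions):
    """Exact probability that Bob accepts when Alice commits honestly to
    `shares` and then announces them with `flip_positions` inverted.
    Assumption: each OT delivers its share with probability 1/2,
    independently, so all 2^k delivery patterns are equally likely."""
    announced = [s ^ (i in flip_positions) for i, s in enumerate(shares)]
    k = len(shares)
    accepted = sum(
        bob_accepts(shares, mask, announced)
        for mask in product((False, True), repeat=k)
    )
    return Fraction(accepted, 2 ** k)

if __name__ == "__main__":
    shares = [1, 0, 1, 1, 0, 0]  # constructed sample; commits to b = 1
    print("committed bit:", xor_all(shares))
    # One flipped share changes the opened bit; more flips only add risk.
    for flips in ({2}, {0, 3}, {1, 2, 4}):
        print(sorted(flips), "opens as", opened_bit(shares, flips),
              "accepted with probability",
              cheat_success_probability(shares, flips))
```

Flipping a single share changes the opened bit and goes undetected in exactly half of the delivery patterns, independent of k, so adding more shares does not strengthen the binding property of this construction.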

V. SUMMARY AND DISCUSSIONS 

In all, we proposed a quantum all-or-nothing oblivious transfer
protocol based on quantum entangled states, and proved that it is
unconditionally secure against any cheating strategy. It was also
illustrated how the protocol evades Lo's no-go theorem of the
one-sided two-party secure computation, as well as that the security
of our QOT does not conflict with the MLC no-go theorem of QBC.

The existence of secure QOT protocol is important not only for
multi-party protocols, but also for a better understanding of quantum
theory. According to recent results [30], three fundamental
information-theoretic constraints, namely, the impossibilities of
(i) superluminal information transfer between two physical systems by
performing measurements on one of them; (ii) broadcasting the
information contained in unknown physical states; and
(iii) unconditionally secure bit commitment, may suffice to entail
that the observables and state space of a physical theory are
quantum-mechanical. Therefore, clarifying the boundary between the
capability and limitation of quantum cryptography, as well as the
relationship between classical cryptography and its quantum
counterpart, can certainly enrich our knowledge for searching the
answer to Wheeler's query "Why the quantum" [30].

Finally, it is worth pinpointing that a QBC protocol somewhat similar
to ours was proposed [31]: both protocols start with a 4-level system
on Alice's side and rely on a verification procedure to avoid
cheating. However, as pointed out by the authors, what they achieved
in Ref. [31] was merely an analog to OT, which does not meet the
rigorous security requirement of the OT definition; in fact, they
merely attempted to use the analog to realize a QBC protocol. In
contrast, our protocol includes a further crucial verification on
Bob's side, possessing at least three advantages: (i) the strict
requirement of OT is met; (ii) the stand-alone security is proven to
be unconditional; and (iii) it is convenient to modify ours to be a
p-OT protocol.

We thank Hoi-Fung Chau and Hoi-Kwong Lo for 
their useful discussions. The work was supported by 
the RGC grant of Hong Kong (HKU7114/02P and 
HKU7045/05P). 